Permissive Interfaces (Tom Henzinger, Ranjit Jhala, Rupak Majumdar)

Post on 19-Dec-2015

TRANSCRIPT

Slide 1
Permissive Interfaces
Tom Henzinger, Ranjit Jhala, Rupak Majumdar

Slide 2
A Problem with Program Analysis
Whole Program Analysis is not always possible:
- Availability: Client code missing
- Scalability: Whole system too large
(Figure: Client calling Library)

Slide 3
Modular Program Analysis
- Find an interface for the Library
- Use the interface to verify the Client
(Figure: Client, Library)

Slide 4
Modular Program Analysis
- Availability: Interface independent of Client
- Scalability: Interface small, an abstraction of the Library
(Figure: Library, Interface)

Slide 5
What is an Interface?
Interface: constraints on legal uses of the API, i.e. the API calls after which the library is in a legal state.
(Figure: Library States split into Legal and Error; the Interface restricts the API)

Slide 6
Example
Library states: Legal (e=0), Error (e!=0)
Interface: typestates n0, n1, n2 with edges labelled acq, rel, acq, read, rel
Safe: Interface ⊆ Legal Call Sequences

    Static e=0; Static a=NULL;
    acq(){ if(a==NULL){ a:=m_new(); } else e:=1; return;}
    read(){ if(a!=NULL){ a:=m_rd(a); } else e:=1; return;}
    rel(){ a:=NULL; return;}

Slide 7
Safety Not Enough!
Interface: typestates n0, n1, n2 with edges labelled acq/x, rel/x, acq/x, write, read, write, read, rel/x
This interface disallows calls to write, so it is useless for Modular Program Analysis.

    Static e=0, a=NULL, x=0;
    acq(){ if(a==NULL){ a:=m_new(); } else e:=1; return;}
    read(){ if(a!=NULL){ a:=m_rd(a); } else e:=1; return;}
    rel(){ a:=NULL; return;}
    acqx(){ if(a==NULL){ a:=m_new(); x:=1; } else e:=1;}
    write(){ if(x!=0){ m_wr(a); } else e:=1; return;}
    relx(){ a:=NULL; x:=0;}

Slide 8
Permissive Interfaces
Interface: typestates n0, n1, n2, n3 with edges labelled acq, read, rel/x (n0, n1, n3) and acqx, relx, write, read (n2)
Permissive: Legal Call Sequences ⊆ Interface
Modular Analysis: Safe + Permissive Interfaces
(Library code as on slide 7)

Slides 9-10
Plan
1. Motivation
2. Characterizing Safe, Permissive Interfaces
3. Computing Safe, Permissive Interfaces
4. Extensions
5. Experiments

Slides 11-15
Typestate Interpretations
Interface (n0, n1, n2 with edges acq, rel, acq, read, rel)
- Interface is a Typestate System: an abstraction of the library's internal state
- Typestate Interpretation r: overapproximates the possible internal states
  r(n0) = (a=0), r(n1) = (a≠0), r(n2) = (e≠0)
(P1) Initial states ⊆ r(n0)
(P2) Every edge n →f n': Post(r(n), f) ⊆ r(n')
Slides 12-14 check (P2) edge by edge against acq, read and rel (code as on slide 6).

Slides 16-17
Safe Interpretations
(P1), (P2) as above
(P3) Every legal typestate n: r(n) ∩ Err = ∅
Theorem: Safe Interpretation implies Safe Interface

Slides 18-19
Permissive Interpretations
(P1), (P2) as above
(P4) Every illegal typestate n: r(n) ⊆ Err
Theorem: Permissive Interpretation implies Permissive Interface

Slides 20-22
Sanity Check
API and interface as on slide 7 (edges acq/x, rel/x, acq/x, write, read, write, read, rel/x), interpretation a=0, a≠0, e≠0
Q: Why is this not a permissive interface?
Edge n1 →write n2 with r(n1) = (a≠0), r(n2) = (e≠0):
    write(){ if(x!=0){ m_wr(a); } else e:=1; return;}
Post(a≠0, write) = (e≠0 ∨ e=0)
A: (P2) fails! Not an Interpretation.
With r(n2) = (e≠0 ∨ e=0) instead, (P2) holds but
A: (P4) fails! Not a Permissive Interpretation.

Slide 23
Plan (section 3: Computing Safe, Permissive Interfaces)

Slide 24
Computing Interfaces
Problem A: Interface Checking. Given Library, candidate interface I, abstraction: check if I is safe, permissive.
Problem B: Interface Reconstruction. Given Library, abstraction: reconstruct a safe, permissive interface I.
Problem C: Interface Inference. Given Library: infer a safe, permissive interface I.

Slide 25
A. Interface Checking
Check Safe and Permissive independently.

Slides 26-27
A. Interface Checking [Safe]
Interface (n0, n1, n2 with edges acq, rel, acq, read, rel); Library code as on slide 6; Library States: Legal e=0, Error e!=0
Idea: analyze Interface Client + Library
Verify assertion: Client in legal location ⇒ Library in legal state

Slides 28-29
B. Interface Checking [Permissive]
Same Interface and Library
Idea: analyze Interface Client + Library
Verify assertion: Client in illegal location ⇒ Library in illegal state

Slide 30
A. Interface Checking
Safe, Permissive checkable by Assertion Verification!

Slide 31
Abstract Reachability Graphs
(Problem A restated: Safe, Permissive checkable by Assertion Verification!)

Slides 32-41
Abstract Reachability Graphs
Library code and interface as on slide 6; abstraction predicates { a=0, e=0 }
The graph is built one step per slide:
- root node (n0; a=0, e=0)
- acq() from n0 → (n1; a≠0, e=0)
- rel() from n1 → (n0; a=0, e=0), covered by the root
- read() from n0 → (n2; e≠0)
- acq() from n1 → (n2; e≠0)
- read() from n1 → (n1; a≠0, e=0), covered
Slide 41 repeats the library code and is cut off in the transcript: acq(){ if(a==NULL){ a:=m_new(); } else...
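As an added worked example (not from the slides or the authors' tool), the Python below models the slide-6/7 library as a finite machine over (a, e, x) and checks a typestate interpretation against (P1)-(P4), reading safety as P1, P2 over edges between legal typestates and P3, and permissiveness as P1, P2 over all edges and P4; the interface edge sets are assumptions taken from the slide figures. It reproduces the sanity check of slides 20-22: the slide-7 interface is safe but fails (P2) for permissiveness, and widening r(n2) makes it fail (P4) instead.

```python
from itertools import product

# Finite model of the slides' library: a state is (a, e, x) with a collapsed
# to 0 = NULL / 1 = non-NULL. Constructed for this example; not the paper's tool.
def acq(s):   a, e, x = s; return (1, e, x) if a == 0 else (a, 1, x)
def acqx(s):  a, e, x = s; return (1, e, 1) if a == 0 else (a, 1, x)
def read(s):  a, e, x = s; return s if a != 0 else (a, 1, x)
def write(s): a, e, x = s; return s if x != 0 else (a, 1, x)
def rel(s):   a, e, x = s; return (0, e, x)
def relx(s):  a, e, x = s; return (0, e, 0)

API = {"acq": acq, "acqx": acqx, "read": read, "write": write, "rel": rel, "relx": relx}
STATES = set(product((0, 1), repeat=3))
INIT = {(0, 0, 0)}                                  # e=0, a=NULL, x=0
ERR = {s for s in STATES if s[1] != 0}              # library error states: e != 0
region = lambda pred: {s for s in STATES if pred(*s)}

def post(r, f):                                     # Post(r, f): successors of region r under f
    return {f(s) for s in r}

def failures(iface, r, permissive):
    """Properties among P1..P4 that interpretation r of iface violates. Reading
    of the slides: safety = P1, P2 over edges between legal typestates, P3;
    permissiveness = P1, P2 over all edges (also into the illegal one), P4."""
    n0, ill, edges = iface["init"], iface["illegal"], iface["edges"]
    bad = set()
    if not INIT <= r[n0]: bad.add("P1")
    for (n, f), m in edges.items():
        if (permissive or m != ill) and not post(r[n], API[f]) <= r[m]:
            bad.add("P2")                           # Post(r(n), f) escapes r(m)
    if permissive and not r[ill] <= ERR: bad.add("P4")
    if not permissive and any(r[n] & ERR for n in r if n != ill): bad.add("P3")
    return bad

def iface(edges):
    """Edges as 'src call dst'; n0 is the initial and n2 the illegal typestate."""
    return {"init": "n0", "illegal": "n2",
            "edges": {(s, f): t for s, f, t in (e.split() for e in edges)}}

def classify(i, r):
    return {"safe": not failures(i, r, False), "permissive": not failures(i, r, True)}

# Interpretation of slides 11-22: n0: a=0, n1: a!=0 (both with e=0), n2: e!=0
R = {"n0": region(lambda a, e, x: a == 0 and e == 0),
     "n1": region(lambda a, e, x: a != 0 and e == 0), "n2": ERR}
R_WIDE = dict(R, n2=STATES)                         # slide 22: r(n2) = e!=0 or e=0
# Slide 6 (3-call API) and slide 7 (6-call API, every write routed to n2); edges assumed
SLIDE6 = iface(["n0 acq n1", "n1 rel n0", "n1 read n1", "n0 read n2", "n1 acq n2"])
SLIDE7 = iface(["n0 acq n1", "n0 acqx n1", "n1 rel n0", "n1 relx n0", "n1 read n1",
                "n0 read n2", "n0 write n2", "n1 acq n2", "n1 acqx n2", "n1 write n2"])
```

`classify(SLIDE7, R)` reports safe but not permissive, and `failures(SLIDE7, R_WIDE, True)` returns only P4, matching slides 21 and 22.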
